Home » RDBMS Server » Security » Check whether default password has been changed by user
Check whether default password has been changed by user [message #43638] Wed, 13 August 2003 01:16 Go to next message
I B Pawar
Messages: 1
Registered: August 2003
Junior Member
We have created users in Oracle 8.1.7 database with username as number of 5 digits and the password is set same as username (i.e. the five digit number) at the time of user creation. The user is supposed to change the password when she/he first logs in. Now, I need for suggesting a script to find out which of the users have not changed the default password.

Please e-mail me on the above address also.

Report message to a moderator

Re: Check whether default password has been changed by user [message #43663 is a reply to message #43638] Thu, 14 August 2003 14:49 Go to previous messageGo to next message
Armani
Messages: 3
Registered: April 2002
Junior Member
It would be better if you just set an expire time on the deafult password you created by assigning profiles to the users you create...this FORCES any user to change their password at their first logon attempt or after x amount of tries you decide.

or

You can just

SQL> alter user janedoe password expire;

User Aletered.

Next time Jane Doe tries to login, she will be prompted for a new password.

Report message to a moderator

Re: Check whether default password has been changed by user [message #43664 is a reply to message #43663] Fri, 15 August 2003 00:55 Go to previous message
gary
Messages: 35
Registered: January 2001
Member
Here's the pseudo-code for checking any user having a password the same as the username:

DECLARE
v_dummy number;
BEGIN
FOR user_rec in (select username from all_users) LOOP
BEGIN
execute immediate 'drop database link dummy';
EXCEPTION
WHEN OTHERS THEN NULL;
END;
execute immediate
'create database link dummy '||
'connect to '||user_rec.username||
' identified by '||user_rec.username||
'using ''dbname.world'' ';
begin
execute immediate 'select 1 from dual@dummy'
return into v_dummy
dbms_output.put_line('Evil:'||user_rec.username');
exception
when others then null;
end;
end loop;
end;

If you don't have CREATE DATABASE LINK privilege then you probably shouldn't be doing this sort of pentration test !

Report message to a moderator

Previous Topic: Changing user's Password
Next Topic: insufficient priv's
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Fri Jan 24 07:33:56 CST 2025
.:: Forum Home :: Blogger Home :: Wiki Home :: Contact :: Privacy ::.